Re: [controller-dev] [infrautils-dev] credentials for REST to jolokia/exec/org.opendaylight.infrautils.diagstatus


Ryan Goulding <ryandgoulding@...>
 

Jamo, can you comment on code version?  Thanks!

Regards,

Ryan Goulding

On Thu, Apr 5, 2018 at 7:10 AM, Ryan Goulding <ryandgoulding@...> wrote:
What version of code? This wasn’t tied to AAA until oxygen. Prior it was controlled by etc/or.jolokia.osgi.cfg.

Thanks,
Ryan


On Apr 5, 2018, at 12:32 AM, Michael Vorburger <vorburger@...> wrote:

JamO, +aaa-dev and +controller-dev and Stephen FYI:

On Wed, Apr 4, 2018 at 10:24 PM, Jamo Luhrsen <jluhrsen@...> wrote:
Hi Utility folks,

I noticed in a local setup I have where I've changed the default username
and password for RESTCONF, that I still need to use the admin:admin creds
to hit the diagstatus endpoint.

I'm guessing that's just because this is not tied in to the magic of
AAA and/or RESTCONF creds.

Gotta just live with it, or would it be an easy thing to add, just to keep
things more intuitive?

This seems like a bug (bad one, security-wise), but it's not for infrautils-dev - we don't actually do anything re. Jolokia in project infrautils, the diagstatus sub-module simply exposes a JMX bean... the code related to the Jolokia integration in ODL which then makes this available via HTTP, and secures it with the AAA creds (also used by RESTCONF; there are no creds in RESTCONF itself FYI), is actually in controller and/or aaa (I'm not 100% sure myself what is where)... see https://jira.opendaylight.org/browse/AAA-147 and https://jira.opendaylight.org/browse/CONTROLLER-1324

If you are right, we have this problem (that when changing the default username and password you can still use the previous one) on *ALL* /jolokia/ URLs, I'm guessing.

Would you like to open a (Critical?) bug in JIRA against AAA about this?

Tx,
M.
--
Michael Vorburger, Red Hat
vorburger@... | IRC: vorburger @freenode | ~ = http://vorburger.ch
 
example curl:

curl -u "admin:admin" http://192.168.24.11:8081/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus

Thanks,
JamO
_______________________________________________
infrautils-dev mailing list
infrautils-dev@...ght.org
https://lists.opendaylight.org/mailman/listinfo/infrautils-dev

_______________________________________________
controller-dev mailing list
controller-dev@lists.opendaylight.org
https://lists.opendaylight.org/mailman/listinfo/controller-dev
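A post-rotation check for the condition Jamo reports, as an added example that is not part of the thread or of any ODL project: it probes the same diagstatus Jolokia URL once with the default admin:admin pair and once with the new credentials, and only passes when the default is rejected and the new pair is accepted. The host and port default to the ones in Jamo's curl line; the new credentials, the status-code classification and the verdict names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: after rotating the AAA
# credentials, check that the diagstatus Jolokia endpoint quoted above
# rejects the old default pair and accepts the new one. Host, port and
# the new credentials are passed as arguments; the defaults for host and
# port are the ones from Jamo's curl line.

OLD_CREDS="admin:admin"   # the pair the thread reports as still working
JOLOKIA_PATH="/jolokia/exec/org.opendaylight.infrautils.diagstatus:type=SvcStatus/acquireServiceStatus"

# http_status USER:PASS URL -> HTTP status code only ("000" if unreachable).
http_status() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 3 --max-time 10 \
        -u "$1" "$2" 2>/dev/null) || code=000
    echo "${code:-000}"
}

# classify OLD_STATUS NEW_STATUS -> one-word verdict for the two probes.
# "default-creds-still-accepted" is exactly the condition reported in the thread.
classify() {
    case "$1" in
        200) echo default-creds-still-accepted ;;
        401|403)
            case "$2" in
                200)     echo ok ;;
                401|403) echo new-creds-rejected ;;
                *)       echo unexpected ;;
            esac ;;
        000) echo unreachable ;;
        *)   echo unexpected ;;
    esac
}

# main HOST PORT NEW_USER:NEW_PASS -> exits 0 only when the verdict is "ok".
main() {
    url="http://${1:-192.168.24.11}:${2:-8081}${JOLOKIA_PATH}"
    new_creds="${3:?usage: $0 HOST PORT NEW_USER:NEW_PASS}"
    old=$(http_status "$OLD_CREDS" "$url")
    new=$(http_status "$new_creds" "$url")
    verdict=$(classify "$old" "$new")
    echo "default=${old} new=${new} verdict=${verdict}"
    [ "$verdict" = ok ]
}

# Probe only when invoked with arguments, so the functions can be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh check_jolokia_creds.sh 192.168.24.11 8081 'newuser:newpass'` against your own controller; a non-zero exit with the verdict `default-creds-still-accepted` reproduces the problem described in the thread.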
